For several days not that long ago, Jordan Reid's site,
ramshackleglam.com, did not belong to her. She got it back, but
only after the involvement of fifty or so employees of six
different companies, middle-of-the-night conferences with lawyers,
FBI intervention, and what amounted to a massive sting operation.
Here's her story.

For several days not so long ago, RamshackleGlam.com — the
domain name that I have owned and operated since March of
2010 — did not belong to me, but rather to a man who goes by the
name “bahbouh” on an auction website called Flippa, and who was
attempting to sell off the site to the highest bidder (with a “Buy
It Now” price of $30,000.00). He promised the winner my traffic, my
files, and my data, and suggested that I was available “for hire”
to continue writing posts (alternatively, he was willing to provide
the winner with “high-quality articles” and “SEO advice” to
maintain the site’s traffic post-sale).

I learned that my site was stolen on a Saturday. Three days
later I had it back, but only after the involvement of fifty or so
employees of six different companies, middle-of-the-night
conferences with lawyers, FBI intervention, and what amounted to a
sting operation that probably should have starred Sandra Bullock
instead of…well…me.

Of course I’ve heard of identity theft, and of cyber hacking,
but honestly, my attitude towards these things was very much “it
could never happen to me.” And even if it did…I didn’t exactly
understand why it was such a huge deal. Couldn’t you just explain
to people what had happened, prove who you were, and sort it all
out? We live in such a highly documented world, it seemed
completely impossible to me that someone could actually get away
with pretending to be someone else with any real consequences
beyond a few phone calls and some irritation.

It’s much, much worse — more threatening, more upsetting, and
more difficult (if not impossible) to fix — than I’d ever
imagined.

I found out about the hacking from my father. His friend Anthony
(who runs a web development and consulting company called
ThoughtBox) had been surfing around on Flippa and had — in an
impossibly lucky coincidence — noticed that my site was up for
auction, with what appeared to be a highly suspicious listing.
Suddenly, I remembered the email I had gotten the day before — an
email that I had disregarded as spam — from someone “interested in
the purchase” of my “weblog.” I remembered the notification from
YouTube that someone had accessed my account from a different
location — a notification I had ignored, assuming that I had logged
in on a mobile device or that my husband had accidentally logged
into my account instead of his own.

But even after I saw the listing, I didn’t panic: this seemed
like something that could be fixed with a couple of emails. Except
the auction site was located in Australia and didn’t appear to have
a phone number, and when I sent an email with a scanned ID and
proof of ownership what I got back was a form letter. And when I
called HostMonster, the site I pay to operate my website, I
discovered that I was no longer the owner of my site: someone had
used their email confirmation system to authorize the transfer of
my domain name into a private account at GoDaddy (another web
registrar service of whom I’m also a client).

Why is this a big deal?

If you have a business that depends on a URL, you understand why
this was such upsetting news: With control over my website’s domain
name, a hacker would be able to take the site down, or redirect it
elsewhere. Further, it was later verified that the hacker had
control over all of the site’s content, as well; he could have just
rerouted everything I’ve ever written to any location he
wanted.

Ramshackle Glam may be “just” a lifestyle blog about things like
parenting and fashion and decor…but it’s also a site that I’ve
spent five years of my life building, and the idea of it falling
into the hands of someone with malicious intent was heartbreaking.
I could switch to a new URL and export a copy of my content (which
I do back up), but that would result in the loss of a substantial
amount of traffic. The website is my primary source of income, and
with a house, two children, a book coming out, and a husband in
business school, this was not a joke. The loss of my URL had the
potential to be devastating for my business and for my family in a
very real way.

So what did I do?

The events of the next few days were complicated, so rather than
go through them chronologically I’m going to explain how each path
I took ended up panning out (I’m going into detail so that I can be
as much help as possible to anyone who goes through this
themselves).

1. I tried to resolve the situation directly with GoDaddy and
HostMonster. This did not work.

From Sunday through Tuesday, I spent most of the day (and much
of the night) on the phone with GoDaddy, HostMonster, or both at
the same time, and nearly every person I spoke with gave me the
same response: “Sorry, can’t help you.”

HostMonster maintained that because they no longer controlled
the domain name, there was nothing they could do. GoDaddy
maintained that because the account was private and the person had
obtained ownership of the domain through a transfer from
HostMonster, there was nothing they could do.

What finally made a difference: I cited ICANN’s policy on Domain
Name Dispute Resolution.* This got my case upgraded, but it did not
result in action.

Here’s why: the legal department at HostMonster informed me that
in order for them to initiate a transfer dispute that would result
in GoDaddy releasing the domain back to me, their “internal
investigation” would have to turn up evidence that they had done
something wrong in releasing the site. In other words, they would
have to admit that they had screwed up…which would in turn open
them up to a lawsuit.

Needless to say, I never heard from the legal department again.
Despite the fact that everyone seemed clear on the fact that I
owned my website and that it had been transferred without my
authorization, nothing was going to be done unless I initiated a
time-consuming and costly lawsuit that, in any case, would not
result in action quick enough to save my domain name from being
sold.

So that avenue came to an end.

2. I called the FBI. This was a major step in the right
direction.

The morning after I found out about the unauthorized transfer, I
also called the FBI. I felt silly and dramatic making the phone
call, but the reality is that this is an international cyber crime
issue, and that’s FBI territory. And this is my business. It’s how
I support my family, and it may be a “small matter” in the grand
scheme of things, but it is not a small matter to me.

And let me tell you: of all the surprises I’ve had over the past
week or so, most surprising of all has been the FBI. They responded
immediately, with follow-up phone calls and emails, an in-person
interview with two special agents at my own home within 24 hours,
and a follow-up visit from two agents yesterday. Beyond that, each
and every agent I have interacted with over the past week has been,
without fail, compassionate, thoughtful, invested, respectful, and
committed to action…in addition to treating me not like a case
number, but like a human.

What I expected was to leave a message with a general mailbox
and at some point receive a form letter; I certainly did not expect
to see an active investigation opened immediately. I’m not going to
write more about the investigation because it’s still ongoing
(although I did ask for and receive permission to write about
this), but I think it’s important to say how absolutely blown away
I have been by the FBI’s response.

3. I tried to regain control by dealing directly with the
“seller”. This worked, but not without considerable drama.

While all of the above was going on, I was also working to
regain control over the site directly from the individual who was
trying to sell it.

I didn’t want to contact the “seller” directly, because I felt
that if he thought the “real” owner of the site was aware of the
sale, he would try to extort more money. So I asked Anthony — the
person who had found the original listing, and who had an active
account with a positive history on Flippa — to DM “bahbouh” to see
if he was interested in a “private sale”. After some back-and-forth
we reached an agreement, and it was decided that a third-party
money-transfer website (Escrow.com) would be used to make the sale:
the money would only be released to the seller upon confirmation
that the domain name had been transferred.

This appeared to be going smoothly until Tuesday night, when the
seller suddenly demanded that the funds be released immediately
(prior to receipt of the website). When we pushed back, he
announced that he was selling it to someone else: “Sorry, bye.”

So here was my thought process: if we did not release the money
to the seller, we were guaranteed to not get the website. If we did
release the money to him, there was a possibility that he would
take the money and run, and also a possibility that he would
deliver the site as promised. It wasn’t a gamble I wanted to
take…but I didn’t see any option. And so I authorized the wire
transfer.

I spent twenty minutes sitting in front of the dummy GoDaddy
account I had created to receive the domain name from the seller,
waiting to see whether I was out thousands of dollars and a domain
name, or just thousands of dollars.

And then it came through.

I immediately transferred the domain into a different account
and placed it (and all of my other domain names) on what amounted
to lockdown. And then I called the wire transfer company and placed
a stop on the payment.

The end result

RamshackleGlam.com is back in my possession, thanks to a number
of people who dedicated hours (in some cases days) out of their
lives to doing whatever they could to help me. My other
accounts — bank accounts, et cetera — have been secured. I don’t
have my money back yet, but the man who stole my site from me
doesn’t have it, either, and won’t be getting it, ever.

And that’s an ending I’m pretty damn thrilled with.

So why am I still angry?

Of course I’m angry with the person or people who stole the
site, but that’s out of my hands. The reason I’m writing this post
is to let people know that this really can happen — to anyone — and
to offer suggestions for how to minimize the chances that it will
happen to you (below), but beyond that, I’m writing this post
because this incident made me very, very angry at GoDaddy and
HostMonster. And I want you to know why.

No one at either company questioned my statement (supported by
written proof) that the website belonged to me. No one doubted that
it had been transferred without my authority. And yet I had to
spend days — days during which the hacker could have done virtually
anything he wanted — trying to reach one single person who was able
to do anything, because the support staff and supervisors I spoke
with (who had to have numbered fifty or more) were completely
uninformed as to how to handle this situation beyond saying, “Jeez,
that sucks. Can’t help you.”

And once I reached people who could help me — who could
literally make a single phone call or push a single button and
return my property to me (or simply freeze it so that it could not
be sold or destroyed) — they would not. They hid behind their legal
departments and refused to do anything, knowing full well that
their inaction would force me to either interact with and pay off a
criminal, or lose an essential component of my business.

And hackers know that these companies will do this.

They rely on it.

There is a serious problem when a criminal enterprise not only
exists “despite” a company’s policies, but actually thrives as a
direct result of that company’s prioritization of their own
interests over the security of the clients they allegedly
“protect”. Do I understand why companies like HostMonster and
GoDaddy are focused on protecting themselves against lawsuits? Of
course I do. But the fact is that they not only do not “help” their
customers, but actively contribute to creating situations that
threaten small businesses and the families that they support.

And these companies know that when they stonewall clients whose
property has obviously been stolen that these clients will have no
other recourse than to pay off criminals or watch their
businesses — sometimes their very lives — collapse. They know that
by standing in the way of immediate action they create the very
environment that these criminals depend upon to perpetuate their
business model. And they do nothing.

This has to change.

My opinion, for what it’s worth

Support personnel at hosting companies should be made intimately
familiar with ICANN regulations involving domain disputes, and
should be able to initiate a plan of action the first time a client
makes them aware of a situation, not after hours and hours of
repeated calls.

Further, the establishment of a TEAC** should result in an
immediate freeze on the account in dispute until the situation has
been resolved. This should not require an admission of culpability
on the part of any parties; simply an acknowledgement that a
dispute exists and an awareness that while the dispute exists the
domain must be held safe from sale or transfer.

What you can do to reduce the chances that this will happen to
you:

Have a really, really good password, and change it often. Your
password should not contain “real” words (and definitely not more
than one real word in immediate proximity, like “whitecat” or
“angrybird”), and should contain capital letters, numbers and
symbols. The best passwords of all look like total nonsense.

If possible, use a separate computer (an old one or a cheap one
purchased for this purpose) for things like banking; if your family
computer is the same one that you use for bank transactions you
risk having your kids click on a bad link that results in a
hacking.

Turn off your computer and personal devices when they’re not in
use.
Have antivirus software on your computer (but remember that virus
scans only catch 30–40% of viruses, so unfortunately a “clean”
check doesn’t necessarily mean that you’re safe).

Purchase CyberRisk Insurance (learn more about it here; it
basically protects businesses from cyber attacks and data
breaches.

But if it does happen to you, here’s what to do:

Begin taking careful notes (and screenshots) immediately. Don’t
delete any emails or other information; it could all be important
later on.

Immediately change all of your passwords (including — but not
limited to — domain registrar, website hosting, website login
information, email, bank accounts, wireless home electronics, and
Apple ID) according to the rules stated below. I changed mine every
few hours while this situation was still up in the air, and am
continuing to change them every few days for the time being.

Contact the registrar(s), citing the ICANN policy below, and see
if together you can arrive at a speedy resolution. Don’t be
surprised if you find yourself running into dead ends.

Make sure to inquire about “filters” and “rules” that may have
been placed on your email (basically, any kind of device that the
hackers may have placed to forward emails, et cetera).

Contact appropriate law enforcement (I contacted the FBI because
it appeared to be an international issue, and was at the very least
an interstate issue because Escrow.com is located in California,
and I’m in New York).

Note: Every situation is different, and I can’t wholeheartedly
recommend the steps that I took that ultimately resulted in me
regaining control over my domain name largely because they involved
interacting with criminals. Obviously that isn’t ideal, and can
have unpredictable consequences. (Although my husband says that he
would like it to be known that he thinks I’m a huge badass. While
this is ordinarily very far from the truth, in this specific
instance…I’ll take it.)

The End. (That was long. Thanks for reading.)

*ICann.Org is the Internet Corporation for Assigned Names and
Numbers (ICANN) is responsible for managing and coordinating the
Domain Name System (DNS). ICANN’s policy on Domain Name Dispute
Resolution essentially states that in the case of a domain dispute,
the Losing Registrar (the registrar that maintained possession of
the domain name pre-transfer, as opposed to the “Winning
Registrar”, who maintains possession of the domain name
post-transfer). must immediately establish a Transfer Emergency
Action Contact (“TEAC“) in an effort to get the ball rolling in the
direction of resolution right away). Once I had this information,
my case was immediately upgraded.

**TEAC: A contact that is established by ICANN and used by other
registrars and ICANN if there is a need to quickly address issues
with domain transfers between two registrars. The contact must
respond to inquiries within four hours, though final resolution may
take longer.

About the Podcast

The official podcast of the freeCodeCamp open source community.
Learn to code with free online courses, programming projects, and interview preparation for developer jobs.